Workstation – Google Custom Search Integration

Last Updated March 2, 2023

Security Overview

The Enterprise Search uses 3rd-party integrations to implement a “federal search”. Searches within Workstation are backed by an NLP engine, and a graph database that supports a great user experience. 

Workstation Enterprise Search doesn’t index 3rd-party data on an independently searchable database. 

See below sequence diagram describes the searching algorithm: 


  1. Cache layer saves results for a period of five minutes
  2. Each Adopter Service creates a unique identifier for the results which is meaningless without access to the 3rd-party and stores it in the graph database

3rd-Party Access and Refresh Tokens

To activate the Enterprise Search (and the Personalized Workspace widgets), each employee is required to grant Workstation permission to access the 3rd-party. 

Each time a new access token is granted to the Workstation, the application will encrypt the access and refresh tokens and store it in a remote database. 

The encryption process includes a unique private key (“salt”) that is generated for each individual at the very first bootstrap and stored in the local machine Keychain.

The salt is irreplaceable and not restorable – losing it causes the access tokens to be voided.

This security measure is being taken to eliminate identity spoofing when accessing high-sensitive data.

See the image below to review the salt generation and storage flow.

Accessing 3rd-Party Content

The third-party apps are being approved and verified by third-parties products. 

By the end of the granting process, the third-party apps provide access and refresh tokens that are used by the search engine to establish the requests.
See 3rd-Party Access and Refresh Tokens section above for more information about the storing mechanism.

While searching, the search engine forwards the request, before hitting the Adopter Service, through the Token Injector; a service that injects the relevant tokens to accomplish the request.

The local private key is being handed off over the search HTTPS request for runtime decryption.

JWT Protection

When an end-user initiates a search query – the WalkMe enterprise search starts a search flow that is being protected by a JWT assigned by WalkMe IdP integration, as part of the user signing flow:

The JWT is proxying the user identity and keeping any HTTPS request secured and individual. 

All Workstation requests are protected by a JWT validation. 

  1. Go into Google’s documentation on Creating a Programmable Search Engine
  2. Follow the instructions using your Google Account (get an account if you don’t have one). In the Sites to search section, add the pages you want to include in your search engine.
  3. After creating your search engine, in the Overview screen copy the search engine ID.
  4. Custom Search JSON API requires the use of an API key. An API key is a way to identify your client to Google. Get a Key by clicking the button in this documentation.

  5. Copy the API Key.
  6. Login to Console to configure the parameters copied in the Integrations page.
  7. The integration will appear in the Integrations tab of the app’s Settings

Was this article helpful?

Thanks for your feedback!

Select account type

< Back

Mobile account login

< Back